Details are given in Microsoft's ADV190005 security recommendation as follows:
"HTTP / 2 allows the client to specify any number of SETTINGS frames with any number of SETTINGS parameters. However, in some cases, excessive installation may cause services to become unstable. and thus lead to CPU usage temporarily spike until the connection time runs out and the connection is closed ".
As a way to improve the situation, Redmond's security team "has added the ability to specify thresholds for the number of HTTP SETTINGS / 2 in the request", threshold levels must be set by the IIS administrator after evaluation. The environment and HTTP / 2 on their systems require protocols, as they will not be preconfigured by Microsoft.
MySQL vulnerabilities allow malicious servers to steal data from customers
To set these limits, Microsoft has added the following registry entries to vulnerable Windows 10 releases:
Data : The minimum supported value is 7. The smaller value is cut to the minimum value.
After the thresholds are placed on the Windows system running IIS, the connections will be immediately canceled if:
If a single Setting frame contains more settings than the "Http2MaxSinstallPerFrame" value.
If the number of parameter settings in many Setting frames is received within one minute, pass the "Http2MaxSinstallPerMinute" value.
Besides, according to Microsoft, it should be noted that you may have to restart the service or restart the server so that the newly added registry values can be read.
Microsoft shook hands with VirusTotal in resolving malicious code issues that affected MSI files
Running Windows servers that were previously exploited by the attacker with the help of zero-day in IIS 6.0 will affect WebDAV services by default in all IIS distributions, from July 7 2016 to March 2017.